The Man Who Wrote the Rules on Password Safety Says It Hasn't Helped

In a surprising turn of events, the man who literally wrote the rules on password safety now says that he regrets it. According to an article by Robert McMillan for the Wall Street Journal, Bill Burr of the National Institute of Standards and Technology wrote the guidelines that many of us still follow today, some fourteen years later.

Those safety rules recommended that a “good” password would contain at least eight characters, a combination of uppercase and lowercase letters, and at least one number and one symbol. Burr further went on to include the need to only use that password on one account, as well as to change the password at least every ninety days in order to keep people from continuing to access your account if they managed to obtain your password.

Now, Mr. Burr is retired and has a whole different viewpoint on his own guidelines: they don’t work. Whether through more sophisticated technology, human error, or mandates from software that require strict character requirements and changing deadlines, our accounts are apparently no better off than they were before.

It’s important to note a strong, unique password that you frequently change isn’t the security problem; more to the point, it’s the fact that users simply aren’t going to do it. Changing your password from “password1” to “password2” just because an error box popped up on your screen requiring you to change it doesn’t make your account any safer. Also, using “12345678!A,” which does fit the outlined requirements, isn’t hard to guess, especially for software that can attempt billions of password guesses per second.

Some industry experts see this as just another example of why we need biometric login credentials, such as the fingerprint sensor already used on some smartphones, tablets, and even computer keyboards. By requiring your fingerprint or even a facial recognition marker (something rumored to be coming in the next version of the iPhone, due out this fall) in order to access your account, it makes the work of hacking even harder.

For now, some users have found password success by employing little “tricks” for creating their passwords, such as thinking of a phrase they know very well and using just the first letter of each word in the phrase. For example, if your phrase was “I love the song These Boots Were Made For Walking!” your password could be “Iltstbwmfw!” It’s easily remembered, fits the criteria for many website password generators, and is unlikely to be guessed by a password bot.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.